Cyber-Security:
A Shared
Responsibility
November 2013

Presented by:
Amy C. Purcell, Esq.
Scott L. Vernick, Esq.

© 2013 Fox Rothschild
Topics For Discussion
• What is a “data security breach”?
• Why do you need a response plan?
• Responding to a data security breach
• State statutory requirements
• Regulatory update
• Regulatory enforcement actions and litigation

2012 Statistics
• In 2012, there were 621 confirmed data
breaches and 47,000 reported security
incidents.
– 92% perpetrated by outsiders
– 76% caused by exploiting weak or stolen
passwords
Source: 2013 Data Breach Investigations Report, Verizon.

2012 Statistics
• The FTC instituted 109 consumer protection
enforcement actions.
– Up from 83 enforcement actions in 2011
• The FTC ordered civil penalties totaling $63.6 million.
– Up from $9.75 million in 2011
• Identity theft represents the largest category of
consumer complaint received by the FTC (approximately
18%).
Source: Federal Trade Commission’s 2013 Annual Highlights.

Cost Of A Data Security Breach
• In 2012, data breaches cost organizations an
average of $5.4 million.
– $188 per record
– Includes direct costs (communications, investigations,
legal) and indirect costs (lost business, public
relations)
– Compare to costs of having preventative measures in
place (e.g., policies related to passwords, firewalls,
mobile devices), training employees and encrypting
sensitive information
Source: 2013 Cost of Data Breach Study: United States,
Ponemon Institute.

Cost Of A Data Security Breach
• Data breaches resulting from a malicious attack yielded the
highest cost.
– $277 per record

• Organizations that had a formal incident response plan in
place prior to the incident reduced the cost by
approximately $42 per record.

Source: 2013 Cost of Data Breach Study: United States, Ponemon Institute.

2012 Statistics
• Based upon a survey of more than 500 U.S. executives,
security experts and others from the public and private
sector:
– 38% of organizations do not have a methodology that
helps determine the effectiveness of their security
programs
– 52% of organizations do not conduct incident response
planning with their third-party supply chain
– 35% of organizations do not evaluate the security of
third-parties with which they share data or network
access
Source: Key Findings from the 2013 U.S. State
of Cybercrime Survey, PricewaterhouseCoopers

2012 Statistics
– 12% of organizations do not have a formalized plan for
responding to a data security event; 17% do not have
a plan, but intend to have one in the next 12 months
and 19% do not know whether there is a plan in place
– 33% of organizations do not have a formalized plan for
responding to an insider data security event
– 25% of respondents stated that their organization is
“minimally” effective in managing and intervening in
threats by employees

Source: Key Findings from the 2013 U.S. State of Cybercrime Survey,
PricewaterhouseCoopers.

Types of Data Security Breaches
• Hacking
• Devices are lost or stolen
• Insider or employee misuse
• Unintended disclosure
• Security patches are not installed
• Malware

What Is The Objective?
Fill In The Gap
• Protection
• Compliance
• Audits
How to Manage the Data Security Breach

• Criminal prosecution
• Civil liability

Why Do You Need A
Response Plan?
Thoughtful and Prepared Reaction

Better Decision Making

Minimized Risk and Loss

Collect Relevant Information
• Data location lists
• Confidentiality agreements
• Customer contracts
• Third-party vendor contracts
• Information security policy
• Ethics policy
• Litigation hold template
• Contact list
• Privacy policy

Create A First Response Team
• Information technology (computer & technology
resources)
• Information security (physical security & access)
• Human resources (private employee information: health &
medical, payroll, tax, retirement)

Create A First Response Team
(cont’d)

• Legal counsel (in-house and/or outside counsel)
• Compliance
• Business heads (consumer information)
• Public relations/investor relations

Assign Tasks To Members
Of The First Response Team
• Establish a point person
• Identify key personnel for each task
• Prioritize and assign tasks
• Calculate timelines and set deadlines
• Communicate with management
• Establish attorney-client privilege for investigation
and communications
Project Management Is Critical

Determine The Nature
And Scope Of The Breach
• Investigate facts
• Interview witnesses
• Notify law enforcement (FBI, USSS)
• Determine type of information that may have been
compromised; ongoing threat
• Identify and assess potential kinds of liability
• Identify individuals potentially at risk and determine state
or country of residence
Preserve Company’s Assets, Reputation and Integrity

Understand Data Breach
Notice Laws
• State laws:
– What constitutes personal information?
– When is a notice required?
– Who must be notified? (e.g., State Attorney General)
– Timing?
– What information must be included in the notice?
– Method of delivering notice?
– Other state-specific requirements?

• Applicable industry-specific laws
• Applicable international laws
Determine Appropriate Notices
• Consumers
• Employees
• Law enforcement (Federal/State)
• Federal regulatory agencies
• State agencies (State Attorney General)
• Consumer reporting agencies
• Business partners
• Insurers
• Media
Data Security Breach Notification
• Alabama, Kentucky, New Mexico and South
Dakota are the only states that do not have a
data security breach notification statute.
• California statute served as a model for later
state statutes.
– State involvement began in California, after a series of
breaches received national attention
– Passed in 2002, went into effect in mid-2003

Data Security Breach Notification
• “Any person or business that conducts business in
California, and that owns or licenses computerized
data that includes personal information, shall
disclose any breach of security of the system
following discovery or notification of the breach in
the security of the data to any resident of California
whose unencrypted personal information was, or is
reasonably believed to have been, acquired by an
unauthorized person.”
See Cal. Civ. Code § 1798.29.

Data Security Breach Notification
• “Personal information”
– First name or initial and last name with one or more of
the following (when either name or data element is
not encrypted):
• Social security number;
• Driver’s license number;
• Credit card or debit card number; or
• Financial account number with information such as
PINs, passwords or authorization codes.

Data Security Breach Notification
• Some states have expanded the definition of
“personal information” to include:
• California: Medical information or health insurance
information;
• Indiana: Biometric data;
• North Dakota: Mother’s maiden name, birth/death/marriage
certificate and electronic signature.

Data Security Breach Notification
• On September 27, 2013, California’s governor
signed S.B. 46 to expand the definition of
“personal information” to include:
– “a username or email address, in combination with a
password or security question and answer that would
permit access to an online account.”
– S.B. 46 is effective January 1, 2014.

Data Security Breach Notification
• “Breach of the security of the system”
– Some states expressly require notice of unauthorized
access to non-computerized data
• New York: “lost or stolen computer or other device
containing information” or “information has been downloaded
or copied”
• Hawaii and North Carolina: data includes “personal
information in any form (whether computerized, paper, or
otherwise)”

Data Security Breach Notification
• Generally, a “reasonable” belief that the information has
been acquired by an unauthorized person is enough to
trigger notification requirements.
– Certain states require a risk of harm
• Arkansas: no notice if “no reasonable likelihood of harm to
customers”
• Michigan: no notice if “not likely to cause substantial loss or
injury to, or result in identity theft”

Data Security Breach Notification
• Distinguish between entity that “owns or
licenses” data and entity that “maintains” data
– Data owner has ultimate responsibility to notify
consumers of a breach
– Non-owners required to notify owners

Prepare State Law Notices
• General description of the incident
• Type of information that may have been
compromised
• Steps to protect information from further
unauthorized access
• Contact information (e.g., email address; 1-800
number)
• Advice to affected individuals (e.g., credit
reporting, review account activity)

Prepare State Law Notices
• Delivery method (e.g., certified letters, email,
website)
• Timing of notices
• Tailor notices based on recipient
• Use single fact description for all notices

Prepare Answers To Inquiries
• Draft FAQ’s with responses
• Establish hotline
• Assign group of contact employees
• Train employees to respond to inquiries
• Develop clear escalation path for difficult
questions
• Track questions and answers
Prepare Press Release
• Include the following information:
– Facts surrounding the incident
– Actions to prevent further unauthorized access
– Steps to prevent future data security breaches
– Contact information for questions

• Review by legal counsel

Consider Offering
Assistance To Affected Individuals
• Free credit reporting
• Free credit monitoring with alerts
• ID theft insurance
• Access to fraud resolution specialists
• Toll-free hotline
Regulatory Update
The FTC And Mobile Applications
• In February 2013, the FTC issued a Staff Report
titled “Mobile Privacy Disclosures: Building Trust
Through Transparency.”
• The Staff Report recommends ways that key
players in the mobile marketplace can better
inform consumers about their data practices.

Regulatory Update
The FTC And Mobile Applications
• The recommendations are intended to ensure that consumers
get timely and easy-to-understand disclosures about what
data these players collect and how the data is used.
• The Staff Report makes specific recommendations to:
– Mobile platform developers;
– Application developers;
– Advertising networks and analytics companies; and
– Application developer trade associations.

Regulatory Update
California’s Right To Know Act
• Assembly Bill 1291
• Would require businesses that collect consumer
information to provide customers with the names
and addresses of all data brokers, advertisers and
others who were granted access to the
information, as well as details regarding the data
that was disclosed.
• Businesses would have 30 days to answer a
request for the information.
Regulatory Update
California’s Right To Know Act
• Applies to businesses that “retain” personal data
or disclose the information to a third party.
• Defines “retain” to mean “store or otherwise hold
personal information” whether the information is
collected or obtained directly from the consumer
or any third party.

Regulatory Update
California’s Right To Know Act
• Faced opposition by companies such as Google
and Facebook.
• Assemblywoman Bonnie Lowenthal delayed
action on the bill by turning it into a two-year bill.
• Lowenthal plans to spend the remainder of the
year educating her colleagues about the
importance of the proposed legislation.
• Assembly will consider AB 1291 again in 2014.
Regulatory Update
California And Mobile Applications
• In 2012, the California Attorney General entered
into an agreement with 6 companies whose
platforms comprise the majority of the mobile
apps market (i.e., Amazon, Apple, Google,
Hewlett-Packard, Microsoft and RIM).
• The agreement is designed to ensure that mobile
apps comply with the California Online Privacy
Protection Act (CalOPPA).

Regulatory Update
California And Mobile Applications
• CalOPPA requires operators of commercial websites and
online services, including mobile apps, who collect
personal information about California residents to
conspicuously post a privacy policy.
• In October 2012, the California Attorney General issued
100 enforcement letters to companies like Delta Airlines
who operate mobile apps.
• In December 2012, the California Attorney General filed
its first mobile app enforcement lawsuit against Delta
based upon alleged lack of privacy disclosures in its app.

Regulatory Update
California And Mobile Applications
• On January 10, 2013, the California Attorney
General issued a report titled “Privacy On the
Go: Recommendations for the Mobile
Ecosystem.”
• The Report announced suggested changes in
how companies address consumer privacy in
their mobile applications.

Regulatory Update
California And Mobile Applications
• Examples of the recommendations in the
California Attorney General’s Report:
– Personal information is not limited to name and email
address.
– Maintain list of what information an app will collect, as well as
how it will be used and stored.
– Only collect personal information necessary to an app’s
functionality.
– Privacy policies must be “readable.”
– Companies should not rely upon their general privacy policy.

Regulatory Update
California’s Data Breach Report
• On July 1, 2013, the California Attorney General
released a report that provides a summary of the
types of breaches reported to her office during
2012, as well as recommendations about how to
decrease the likelihood of experiencing a data
breach.

Regulatory Update
California’s Data Breach Report
• Key Findings:
– 131 data breaches affecting more than 500 California residents.
– Average incident involved information relating to 22,500
individuals.
– More than 2.5 million California residents at risk because of data
breaches in 2012.
– More than 1.4 million of those California residents would not be at
risk, if the data had been encrypted.
– More than half of the breaches were the result of intentional
intrusions by outsiders or by unauthorized insiders.
– The average reading level of the breach notices submitted was
14th grade.

Regulatory Update
California’s Data Breach Report
• Recommendations:
– Encrypt personal information when in transit, on
portable devices or in emails.
– Review and strengthen security controls used
to protect personal information.
– Prepare breach notification letters in an easy-to-understand format.

Regulatory Update
California’s Data Breach Report
• Recommendations (cont’d):
– Offer mitigation products to victims of
breaches that involve social security numbers
or driver’s license numbers.
– Consider amending breach notification laws to
require reporting of breaches that involve
usernames and passwords.

Regulatory Update
California’s PII Initiative
• Initiative seeks to amend the California Constitution:
– Creates presumption that individual’s PII, including
financial or health information, is confidential when
collected for a commercial or governmental purpose.
– Requires collector of PII to use all reasonably available
means to protect it from unauthorized disclosure.
– Creates presumption of harm when PII is disclosed
without authorization, unless information is publicly
available or there is a countervailing compelling interest.

Regulatory Update
California’s PII Initiative
• On September 26, 2013, signature collection efforts
began.
• In order to qualify for the November 2014 ballot,
proponents of the initiative must collect signatures of
807,615 registered voters by February 24, 2014.
• If voters approve the initiative, it would take effect in
January 2016.

Enforcement Actions
• Federal Trade Commission – Section 5 of FTC Act
– Enforce privacy policies and challenge data security
practices deemed “deceptive” or “unfair.”

• State Attorney General – State Notification Statutes
– Connecticut: “Failure to comply . . . shall constitute an
unfair trade practice . . .”
– Virginia: “The Attorney General may bring an action to
address violations.” Moreover, “nothing in this section
shall limit an individual from recovering direct economic
damages.”

• Litigation in federal and state courts.
Federal Trade Commission
• In June 2012, the FTC instituted litigation in federal
court against Wyndham Worldwide Corporation.
• In its complaint, the FTC alleges that, beginning in
April 2008 and through January 2010,
cybercriminals hacked into Wyndham’s computer
network and the networks of certain Wyndham
hotels, exposing credit card information of hotel
guests.

Federal Trade Commission
• The FTC alleges that hackers compromised
administrator accounts and installed memory-scraping
malware to access credit card information.
• The FTC contends that hackers compromised
more than 619,000 credit card account numbers
and that the incidents caused more than $10.6
million in fraud losses.

Federal Trade Commission
• Under Section 5 of the FTC Act, which prohibits
“unfair and deceptive acts or practices,” the FTC
alleges that:
– Wyndham’s data security protections amounted to
“unfair” trade practices because they were not
“reasonable and appropriate”; and
– Wyndham “deceived” consumers by stating on its
website that it used “commercially reasonable efforts” to
secure credit card information that it collects from
consumers.

Federal Trade Commission
• In an unprecedented move, Wyndham refused to
settle this dispute and filed a motion to dismiss the
complaint.
– Wyndham argues that the FTC is overreaching its authority
because “Section 5’s prohibition on ‘unfair’ trade practices
does not give the FTC authority to prescribe data-security
standards for all private businesses.”
– Wyndham argues that, because Congress has not yet
passed data security legislation, the FTC has the authority to
regulate data security in limited contexts (e.g., Gramm-Leach-Bliley Act).

Federal Trade Commission
– Wyndham further argues that Section 5 of the FTC Act
“provides no meaningful notice to regulated parties”
because it does not contain any guidance about what
practices might be deemed “unfair” or “deceptive.”
Similarly, the FTC has not published any rules or
regulations “explaining what data security practices a
company must adopt to be in compliance with the statute.”
– As such, “businesses are left to guess as to what they must
do to comply with the law.”
– This case is pending in the United States District Court for
the District of New Jersey (Civil Action No. 13-01887).

Federal Trade Commission
• This is the first litigated case challenging the FTC’s
authority under Section 5 of the FTC Act related to
data security.
• Generally, FTC enforcement actions result in a
settlement.
– FTC provides a defendant with a proposed draft
complaint.
– FTC “negotiates” the terms of a consent order.

Federal Trade Commission
Recent Enforcement Actions
• In the Matter of LabMD Inc., No. 102 9357
– Billing department manager installed LimeWire on
his computer, which exposed a report containing
personal information of 9,300 consumers.
– FTC alleges that LabMD failed to reasonably
protect consumers’ personal information and
issued civil investigative demands (CIDs).
– LabMD refused to respond to CIDs.

Federal Trade Commission
Recent Enforcement Actions
• In the Matter of LabMD Inc., No. 102 9357
– FTC filed a petition to enforce CIDs.

– LabMD answered the petition stating that the FTC lacks
statutory authority to tell companies how to secure their
data.
– The case is pending in the United States District Court for
the Northern District of Georgia (Civil Action No. 12-3005).

Federal Trade Commission
Recent Enforcement Actions
• In the Matter of TrendNet, No. 122 3090
– TrendNet sells Internet-connected video cameras.
– FTC alleges that TrendNet’s improper security
measures allowed hackers to webcast live feeds
from hundreds of its customers’ homes.
– TrendNet agreed to settle this action by entering
into a consent order with the FTC.

State Attorney General
• In May 2013, the Connecticut and Maryland
Attorneys General questioned LivingSocial Inc. about
the specifics of a recent data breach that exposed
the personal information of approximately 50 million
users.
• The Connecticut and Maryland Attorneys General
issued to LivingSocial 15 written questions regarding
the scope of the breach, as well as its privacy and
security policies.

State Attorney General
• Examples of questions posed by Attorneys General include:
– Detailed timeline of the incident
– Number of affected individuals in each state
– Types of personal information compromised
– Steps taken to determine that no financial or credit card information
was compromised
– Steps taken to protect user passwords
– How the company collects user data and how long it retains such data
– Copies of any privacy policies
– Plans developed to prevent another breach

State Attorney General
• Both Connecticut and Maryland have statutes
that require a company to report a data security
breach to the Attorney General, as well as to
individual consumers.
• Questions posed by these Attorneys General
provide guidance on issues companies should
consider in responding to a data security breach.

State Attorney General
Recent Action
• State of Connecticut v. Citibank, N.A.:
– Citibank’s Account Online Web-based service
permitted hackers to access multiple user accounts.
– Hackers accessed accounts by logging in with account
number and password, and then changing a few
characters in the URL bar to access additional
accounts.
– Exposed personal information of 360,000 Citibank
customers, including 5,066 Connecticut residents.

State Attorney General
Recent Action
• State of Connecticut v. Citibank, N.A.:
– Vulnerability may have existed since 2008.
– Citibank discovered breach on May 10, 2011.
– Fixed vulnerability on May 27, 2011, but did not begin notifying
consumers until June 3, 2011.
– Citibank settled action and agreed to:
• Pay $55,000 fine.
• Obtain a third-party data security audit of its online credit
card account system.

Litigation
Typical Claims By Plaintiffs
• Plaintiffs (consumers or employees) typically
allege the following causes of action:
– Common law claims of negligence, breach of
contract, breach of implied covenant or breach of
fiduciary duty.
– Claims for violations of state consumer protection
statutes – deceptive/unfair trade practices acts.

• Historically, courts have dismissed these cases
based upon lack of standing.
Litigation
Plaintiffs Lack Standing
• In re LinkedIn User Privacy Litig. (N.D. Cal. 2012):
– Plaintiffs filed complaint against LinkedIn in connection
with a data breach incident in which approximately 6.5
million users’ passwords and email addresses were stolen
and posted on the Internet.
– Plaintiffs argued that they had standing to sue because they
suffered economic harm by not receiving the full benefit of
the bargain they paid for premium memberships.
– The Court granted LinkedIn’s motion to dismiss the
complaint.

Litigation
Plaintiffs Lack Standing
• In re LinkedIn User Privacy Litig. (N.D. Cal. 2012):
– The Court held that, “[t]o satisfy Article III standing,
plaintiff must allege:
• (1) an injury-in-fact that is concrete and particularized,
as well as actual and imminent;
• (2) that injury is fairly traceable to the challenged action
of the defendant; and
• (3) that it is likely (not merely speculative) that injury will
be redressed by a favorable decision.”

Litigation
Plaintiffs Lack Standing
• In re LinkedIn User Privacy Litig. (N.D. Cal. 2012):
– Plaintiffs failed to allege that “included in Plaintiffs’ bargain
for premium membership was the promise of a particular
(or greater) level of scrutiny that was not part of the free
membership.”
– Plaintiffs did not allege that they relied upon (or even read)
LinkedIn’s representations regarding safeguarding
personal information.
– Plaintiffs’ allegation that their LinkedIn passwords were
“publicly posted on the Internet” does not amount to a
“legally cognizable injury, such as, for example, identity
theft or theft of her personally identifiable information.”

Litigation
Plaintiffs Lack Standing
• In re Barnes & Noble Pin Pad Litigation (N.D. Ill. 2013):
– Skimmers on PIN pad devices at 63 locations in 9 states.
– Plaintiffs argued a wide variety of claims:
• Increased risk of identity theft;
• Untimely and inadequate notification;
• Improper disclosure of PII;
• Invasion of privacy;
• Decreased value of PII;
• Anxiety and emotional distress; and
• Overpayment for products.

Litigation
Plaintiffs Lack Standing
• In re Barnes & Noble Pin Pad Litigation (N.D. Ill. 2013):
– Relying on the United States Supreme Court decision
in Clapper v. Amnesty Int’l USA Inc., No. 11-1025
(2013), the Court granted Barnes & Noble’s motion to
dismiss.
• Clapper: Held that private citizens lacked standing to
challenge 2008 amendments to the Foreign Intelligence
Surveillance Act because they could not show the
government had actually spied on them.

Litigation
Plaintiffs Lack Standing
• In re Barnes & Noble Pin Pad Litigation (N.D. Ill. 2013):
– Failed to prove “injury in fact” that is “certainly impending.”
• Speculation of future harm does not constitute actual
injury.
• Even if plaintiffs could prove statutory violations, such
violations would be insufficient to establish standing
without actual injury.
• Increased identity theft expenses cannot establish
standing for non-imminent harm.
• Emotional distress insufficient absent any imminent
threat to PII.
• Fraudulent charges were reimbursed.

Litigation
Plaintiffs Have Standing
• Ruiz v. Gap, Inc., 622 F. Supp. 2d 908 (N.D. Cal.
2009) (increased risk of identity theft constituted
sufficient “injury in fact” for purposes of standing).
• Krottner v. Starbucks Corp., 628 F. 3d 1139 (9th Cir.
2010) (“a credible threat of real and immediate harm
stemming from theft of a laptop containing
unencrypted personal information” sufficient to
demonstrate standing).

Litigation
Plaintiffs Have Standing
• Harris v. comScore (N.D. Ill. 2013):
– Plaintiffs alleged that defendants improperly obtained
and used personal information after consumers
downloaded and installed company’s software.
– comScore’s data collection violated the User License
Agreement and the Downloading Statement.
– Court found standing based upon statutory damages
available under the Computer Fraud and Abuse Act;
the Electronic Communications Privacy Act and the
Stored Communications Act.

Litigation
Plaintiffs Have Standing
• Courts in the Ninth Circuit have also found
standing based upon statutory damages:
– Gaos v. Google (N.D. Cal. 2012) (“the SCA provides a
right to judicial relief based only on a violation of the
statute without additional injury”).
– Cousineau v. Microsoft (W.D. Wash. 2012) (denying
motion to dismiss for lack of standing where plaintiff
alleged an SCA violation).
– In re Facebook Privacy Litig. (N.D. Cal. 2011)
(plaintiffs established standing when they alleged a
violation of the ECPA).

Litigation
Plaintiffs Cannot Allege Damages
• Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir.
2010).

– “[O]ur holding that Plaintiffs-Appellants pled an injury-in-fact
for purposes of Article III standing does not establish
that they adequately pled damages for purposes of their
state-law claims.”
– “[A]ctual loss or damage is an essential element in the
formulation of the traditional elements necessary for a
cause of action in negligence.”
– Court dismissed case because Plaintiffs alleged “no loss.”

Litigation
Plaintiffs Cannot Allege Damages
• In re: Sony Gaming Networks and Customer Data
Security Breach Litig., MDL No. 2258 (S.D. Cal. 2011):
– Hackers accessed the personal information of millions of
Sony’s customers.
– Plaintiffs did not allege any identity theft or unauthorized
use of personal information “causing a pecuniary loss.”
– The Court granted Sony’s motion to dismiss and found
that, “without specific factual statements that Plaintiffs’
Personal Information has been misused, in the form of an
open bank account, or un-reimbursed charges, the mere
danger of future harm unaccompanied by present damage,
will not support a negligence action.”

Litigation
Plaintiffs Cannot Allege Damages
• Holmes v. Countrywide Fin. Corp., No. 08-0205, 2012
U.S. Dist. LEXIS 96587 (W.D. Ky. 2012) (Court
dismissed case where “scant evidence exists
demonstrating that [the thieves] misused the customers’
information or engaged in any kind of financial fraud”).
• Worix v. MedAssets, Inc., 857 F. Supp. 2d 699 (N.D. Ill.
2012) (Court dismissed negligence claim because
Plaintiff did not allege that his personal information was
“misused”).

Litigation
Plaintiffs Allege Damages
• Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir.
2011):
– Hackers stole 4.2 million credit and debit card numbers,
and security codes.
– Defendant acknowledged that more than 1,800 incidents
of identity theft resulted from the breach.
– Many victims had to pay to cancel their cards or purchase
credit monitoring services. Others incurred unauthorized
charges.
– Court denied motion to dismiss.

Litigation
Plaintiffs Allege Damages
• Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012):
– Thieves stole 2 laptops containing names, addresses,
phone numbers and social security numbers of 1.2 million
AvMed customers.
– Ten months after the incident, a bank account was opened
and credit card issued in the name of one of the AvMed
customers.
– Four months later, an E*Trade account was opened in the
name of another AvMed customer.
– Unauthorized purchases were made from both accounts.
– Court denied motion to dismiss because Plaintiffs alleged
“financial injury.”

Avoid Future Data
Security Breaches
• Understand what types of personal information are
collected, how, where and for how long they are stored, and
who has access to them.
• Collect only personal information necessary to conduct
business.
• Retain personal information for shortest time necessary
to conduct business.
• Limit access to personal information.
• Encrypt data.

Avoid Future Data
Security Breaches
• Establish internal policies to protect personal
information.
– e.g., robust passwords, usage policies for laptops and
mobile phones, secure disposal policies.

• Comply with promises made to consumers or employees
regarding privacy and security of personal information.
– Disclosures about collection, maintenance, use and
dissemination of personal information must be accurate
and complete.

Avoid Future Data
Security Breaches
• Train employees.
• Conduct periodic audits.
• Update and revise policies and procedures regularly.
• Enhance technology to strengthen security and reduce
risk.
– e.g., strong firewalls, scans for vulnerabilities, up-to-date
anti-virus software.

• Use care when engaging third-party vendors and hold
them to high standards.
Amy C. Purcell
215.299.2798
apurcell@foxrothschild.com
Scott L. Vernick
215.299.2860
svernick@foxrothschild.com

Legal vectors - Survey of Law, Regulation and Technology RiskWilliam Gamble
 
California Consumer Privacy Act: What your brand needs to know
California Consumer Privacy Act: What your brand needs to knowCalifornia Consumer Privacy Act: What your brand needs to know
California Consumer Privacy Act: What your brand needs to knowOgilvy Health
 
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Financial Poise
 

Mais procurados (20)

Deconstructing Data Breach Cost
Deconstructing Data Breach CostDeconstructing Data Breach Cost
Deconstructing Data Breach Cost
 
HealthCo Accelerate 2016 speaker deck #2
HealthCo Accelerate 2016 speaker deck #2HealthCo Accelerate 2016 speaker deck #2
HealthCo Accelerate 2016 speaker deck #2
 
Responding to a Company-Wide PII Data Breach
Responding to a Company-Wide PII Data BreachResponding to a Company-Wide PII Data Breach
Responding to a Company-Wide PII Data Breach
 
Key Insights from the 2019 Legal Trends Report
Key Insights from the 2019 Legal Trends ReportKey Insights from the 2019 Legal Trends Report
Key Insights from the 2019 Legal Trends Report
 
CYBER LIABILITY COVEREAGE | HB EMERGING COMPLEX CLAIMS
CYBER LIABILITY COVEREAGE | HB EMERGING COMPLEX CLAIMSCYBER LIABILITY COVEREAGE | HB EMERGING COMPLEX CLAIMS
CYBER LIABILITY COVEREAGE | HB EMERGING COMPLEX CLAIMS
 
The Basics of Cyber Insurance
The Basics of Cyber InsuranceThe Basics of Cyber Insurance
The Basics of Cyber Insurance
 
How can you improve cybersecurity at your law firm?
How can you improve cybersecurity at your law firm?How can you improve cybersecurity at your law firm?
How can you improve cybersecurity at your law firm?
 
What is in store for e-discovery in 2015?
What is in store for e-discovery in 2015?What is in store for e-discovery in 2015?
What is in store for e-discovery in 2015?
 
California Consumer Privacy Act - What You Need To Know
California Consumer Privacy Act - What You Need To KnowCalifornia Consumer Privacy Act - What You Need To Know
California Consumer Privacy Act - What You Need To Know
 
Third-Party Risk Management: How to Identify, Assess & Act
Third-Party Risk Management: How to Identify, Assess & ActThird-Party Risk Management: How to Identify, Assess & Act
Third-Party Risk Management: How to Identify, Assess & Act
 
Cyber Threats and Insurance
Cyber Threats and InsuranceCyber Threats and Insurance
Cyber Threats and Insurance
 
2017-01-24 Introduction of PCI and HIPAA Compliance
2017-01-24 Introduction of PCI and HIPAA Compliance2017-01-24 Introduction of PCI and HIPAA Compliance
2017-01-24 Introduction of PCI and HIPAA Compliance
 
Dealing Data Leaks: Creating Your Data Breach Response Plan
Dealing Data Leaks: Creating Your Data Breach Response PlanDealing Data Leaks: Creating Your Data Breach Response Plan
Dealing Data Leaks: Creating Your Data Breach Response Plan
 
Cybersecurity and Data Privacy Whistleblower Protections
Cybersecurity and Data Privacy Whistleblower ProtectionsCybersecurity and Data Privacy Whistleblower Protections
Cybersecurity and Data Privacy Whistleblower Protections
 
Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...Introduction to Data Security Breach Preparedness with Model Data Security Br...
Introduction to Data Security Breach Preparedness with Model Data Security Br...
 
2016 02-23 Is it time for a Security and Compliance Assessment?
2016 02-23 Is it time for a Security and Compliance Assessment?2016 02-23 Is it time for a Security and Compliance Assessment?
2016 02-23 Is it time for a Security and Compliance Assessment?
 
Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Cybersecurity Brief: Understanding Risk, Legal Framework, & InsuranceCybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
Cybersecurity Brief: Understanding Risk, Legal Framework, & Insurance
 
Legal vectors - Survey of Law, Regulation and Technology Risk
Legal vectors - Survey of Law, Regulation and Technology RiskLegal vectors - Survey of Law, Regulation and Technology Risk
Legal vectors - Survey of Law, Regulation and Technology Risk
 
California Consumer Privacy Act: What your brand needs to know
California Consumer Privacy Act: What your brand needs to knowCalifornia Consumer Privacy Act: What your brand needs to know
California Consumer Privacy Act: What your brand needs to know
 
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...Introduction to US Privacy and Data Security Regulations and Requirements (Se...
Introduction to US Privacy and Data Security Regulations and Requirements (Se...
 

Destaque

Information Security Governance at Board and Executive Level
Information Security Governance at Board and Executive LevelInformation Security Governance at Board and Executive Level
Information Security Governance at Board and Executive LevelKoen Maris
 
Reducing IT Security Breaches Through Skills Development
Reducing IT Security Breaches Through Skills DevelopmentReducing IT Security Breaches Through Skills Development
Reducing IT Security Breaches Through Skills DevelopmentCompTIA
 
PCTY 2012, Threat landscape and Security Intelligence v. Michael Andersson
PCTY 2012, Threat landscape and Security Intelligence v. Michael AnderssonPCTY 2012, Threat landscape and Security Intelligence v. Michael Andersson
PCTY 2012, Threat landscape and Security Intelligence v. Michael AnderssonIBM Danmark
 
CompTIA IT Employment Tracker - November 2016
CompTIA IT Employment Tracker - November 2016CompTIA IT Employment Tracker - November 2016
CompTIA IT Employment Tracker - November 2016CompTIA
 
CompTIA IT Employment Tracker - December 2016
CompTIA IT Employment Tracker - December 2016CompTIA IT Employment Tracker - December 2016
CompTIA IT Employment Tracker - December 2016CompTIA
 
CompTIA's 6th Annual State of the Channel
CompTIA's 6th Annual State of the Channel CompTIA's 6th Annual State of the Channel
CompTIA's 6th Annual State of the Channel CompTIA
 
CompTIA IT Employment Tracker - January
CompTIA IT Employment Tracker - JanuaryCompTIA IT Employment Tracker - January
CompTIA IT Employment Tracker - JanuaryCompTIA
 

Destaque (7)

Information Security Governance at Board and Executive Level
Information Security Governance at Board and Executive LevelInformation Security Governance at Board and Executive Level
Information Security Governance at Board and Executive Level
 
Reducing IT Security Breaches Through Skills Development
Reducing IT Security Breaches Through Skills DevelopmentReducing IT Security Breaches Through Skills Development
Reducing IT Security Breaches Through Skills Development
 
PCTY 2012, Threat landscape and Security Intelligence v. Michael Andersson
PCTY 2012, Threat landscape and Security Intelligence v. Michael AnderssonPCTY 2012, Threat landscape and Security Intelligence v. Michael Andersson
PCTY 2012, Threat landscape and Security Intelligence v. Michael Andersson
 
CompTIA IT Employment Tracker - November 2016
CompTIA IT Employment Tracker - November 2016CompTIA IT Employment Tracker - November 2016
CompTIA IT Employment Tracker - November 2016
 
CompTIA IT Employment Tracker - December 2016
CompTIA IT Employment Tracker - December 2016CompTIA IT Employment Tracker - December 2016
CompTIA IT Employment Tracker - December 2016
 
CompTIA's 6th Annual State of the Channel
CompTIA's 6th Annual State of the Channel CompTIA's 6th Annual State of the Channel
CompTIA's 6th Annual State of the Channel
 
CompTIA IT Employment Tracker - January
CompTIA IT Employment Tracker - JanuaryCompTIA IT Employment Tracker - January
CompTIA IT Employment Tracker - January
 

Semelhante a Cyber-Security: A Shared Responsibility -- November 2013

Privacy and Data Security: Risk Management and Avoidance
Privacy and Data Security:  Risk Management and AvoidancePrivacy and Data Security:  Risk Management and Avoidance
Privacy and Data Security: Risk Management and AvoidanceAmy Purcell
 
A Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data BreachA Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data BreachJim Brashear
 
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)Financial Poise
 
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Financial Poise
 
Cybersecurity and the Law: Fasken Law Firm
Cybersecurity and the Law: Fasken Law FirmCybersecurity and the Law: Fasken Law Firm
Cybersecurity and the Law: Fasken Law FirmNext Dimension Inc.
 
CULCT Cybersecurity Workshop 2.10.15
CULCT Cybersecurity Workshop 2.10.15CULCT Cybersecurity Workshop 2.10.15
CULCT Cybersecurity Workshop 2.10.15E Andrew Keeney
 
A Primer on U.S. Privacy and Security Law for Business
A Primer on U.S. Privacy and Security Law for BusinessA Primer on U.S. Privacy and Security Law for Business
A Primer on U.S. Privacy and Security Law for BusinessParsons Behle & Latimer
 
Privacy Security Data Breach - Regulatory Compliance for Financial Institutio...
Privacy Security Data Breach - Regulatory Compliance for Financial Institutio...Privacy Security Data Breach - Regulatory Compliance for Financial Institutio...
Privacy Security Data Breach - Regulatory Compliance for Financial Institutio...Lisa Abe-Oldenburg, B.Comm., JD.
 
Corporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Corporate & Regulatory Compliance Boot Camp - Data Privacy ComplianceCorporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Corporate & Regulatory Compliance Boot Camp - Data Privacy ComplianceFinancial Poise
 
Introduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and RequirementsIntroduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and RequirementsFinancial Poise
 
How your nonprofit can avoid data breaches and ensure privacy
How your nonprofit can avoid data breaches and ensure privacyHow your nonprofit can avoid data breaches and ensure privacy
How your nonprofit can avoid data breaches and ensure privacyTechSoup Canada
 
Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015Lawley Insurance
 
DAMA Webinar: The Data Governance of Personal (PII) Data
DAMA Webinar: The Data Governance of  Personal (PII) DataDAMA Webinar: The Data Governance of  Personal (PII) Data
DAMA Webinar: The Data Governance of Personal (PII) DataDATAVERSITY
 
Crossing the streams: How security professionals can leverage the NZ Privacy ...
Crossing the streams: How security professionals can leverage the NZ Privacy ...Crossing the streams: How security professionals can leverage the NZ Privacy ...
Crossing the streams: How security professionals can leverage the NZ Privacy ...Chris Hails
 
wp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industrywp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industryNumaan Huq
 

Semelhante a Cyber-Security: A Shared Responsibility -- November 2013 (20)

Privacy and Data Security: Risk Management and Avoidance
Privacy and Data Security:  Risk Management and AvoidancePrivacy and Data Security:  Risk Management and Avoidance
Privacy and Data Security: Risk Management and Avoidance
 
A Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data BreachA Brave New World of Cyber Security and Data Breach
A Brave New World of Cyber Security and Data Breach
 
Data Privacy
Data PrivacyData Privacy
Data Privacy
 
Data Privacy Compliance
Data Privacy ComplianceData Privacy Compliance
Data Privacy Compliance
 
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
Data Privacy Compliance (Series: Corporate & Regulatory Compliance Boot Camp)
 
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur...
 
Cybersecurity and the Law: Fasken Law Firm
Cybersecurity and the Law: Fasken Law FirmCybersecurity and the Law: Fasken Law Firm
Cybersecurity and the Law: Fasken Law Firm
 
CULCT Cybersecurity Workshop 2.10.15
CULCT Cybersecurity Workshop 2.10.15CULCT Cybersecurity Workshop 2.10.15
CULCT Cybersecurity Workshop 2.10.15
 
Cybersecurity Workshop
Cybersecurity Workshop Cybersecurity Workshop
Cybersecurity Workshop
 
A Primer on U.S. Privacy and Security Law for Business
A Primer on U.S. Privacy and Security Law for BusinessA Primer on U.S. Privacy and Security Law for Business
A Primer on U.S. Privacy and Security Law for Business
 
Privacy Security Data Breach - Regulatory Compliance for Financial Institutio...
Privacy Security Data Breach - Regulatory Compliance for Financial Institutio...Privacy Security Data Breach - Regulatory Compliance for Financial Institutio...
Privacy Security Data Breach - Regulatory Compliance for Financial Institutio...
 
Corporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Corporate & Regulatory Compliance Boot Camp - Data Privacy ComplianceCorporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Corporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
 
Introduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and RequirementsIntroduction to US Privacy and Data Security: Regulations and Requirements
Introduction to US Privacy and Data Security: Regulations and Requirements
 
How your nonprofit can avoid data breaches and ensure privacy
How your nonprofit can avoid data breaches and ensure privacyHow your nonprofit can avoid data breaches and ensure privacy
How your nonprofit can avoid data breaches and ensure privacy
 
Co3 rsc r5
Co3 rsc r5Co3 rsc r5
Co3 rsc r5
 
Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015Cybersecurity Seminar March 2015
Cybersecurity Seminar March 2015
 
DAMA Webinar: The Data Governance of Personal (PII) Data
DAMA Webinar: The Data Governance of  Personal (PII) DataDAMA Webinar: The Data Governance of  Personal (PII) Data
DAMA Webinar: The Data Governance of Personal (PII) Data
 
Crossing the streams: How security professionals can leverage the NZ Privacy ...
Crossing the streams: How security professionals can leverage the NZ Privacy ...Crossing the streams: How security professionals can leverage the NZ Privacy ...
Crossing the streams: How security professionals can leverage the NZ Privacy ...
 
BEA Presentation
BEA PresentationBEA Presentation
BEA Presentation
 
wp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industrywp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industry
 

Último

Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 

Último (20)

Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 

Cyber-Security: A Shared Responsibility -- November 2013

  • 1. Cyber-Security: A Shared Responsibility November 2013 Presented by: Amy C. Purcell, Esq. Scott L. Vernick, Esq. © 2013 Fox Rothschild
  • 2. Topics For Discussion • What is a “data security breach”? • Why do you need a response plan? • Responding to a data security breach • State statutory requirements • Regulatory update • Regulatory enforcement actions and litigation 2
  • 3. 2012 Statistics • In 2012, there were 621 confirmed data breaches and 47,000 reported security incidents. – 92% perpetrated by outsiders – 76% caused by exploiting weak or stolen passwords Source: 2013 Data Breach Investigations Report, Verizon. 3
  • 4. 2012 Statistics • The FTC instituted 109 consumer protection enforcement actions. – Up from 83 enforcement actions in 2011 • The FTC ordered civil penalties totaling $63.6 million. – Up from $9.75 million in 2011 • Identity theft represents the largest category of consumer complaint received by the FTC (approximately 18%). Source: Federal Trade Commission’s 2013 Annual Highlights. 4
  • 5. Cost Of A Data Security Breach • In 2012, data breaches cost organizations an average of $5.4 million. – $188 per record – Includes direct costs (communications, investigations, legal) and indirect costs (lost business, public relations) – Compare to costs of having preventative measures in place (e.g., policies related to passwords, firewalls, mobile devices), training employees and encrypting sensitive information Source: 2013 Cost of Data Breach Study: United States, Ponemon Institute. 5
  • 6. Cost Of A Data Security Breach • Data breaches resulting from a malicious attack yielded the highest cost. – $277 per record • Organizations that had a formal incident response plan in place prior to the incident reduced the cost by approximately $42 per record. Source: 2013 Cost of Data Breach Study: United States, Ponemon Institute. 6
  • 7. 2012 Statistics • Based upon a survey of more than 500 U.S. executives, security experts and others from the public and private sector: – 38% of organizations do not have a methodology that helps determine the effectiveness of their security programs – 52% of organizations do not conduct incident response planning with their third-party supply chain – 35% of organizations do not evaluate the security of third-parties with which they share data or network access Source: Key Findings from the 2013 U.S. State of Cybercrime Survey, PricewaterhouseCoopers 7
  • 8. 2012 Statistics – 12% of organizations do not have a formalized plan for responding to a data security event; 17% do not have a plan, but intend to have one in the next 12 months and 19% do not know whether there is a plan in place – 33% of organizations do not have a formalized plan for responding to an insider data security event – 25% of respondents stated that their organization is “minimally” effective in managing and intervening in threats by employees Source: Key Findings from the 2013 U.S. State of Cybercrime Survey, PricewaterhouseCoopers. 8
9. Types of Data Security Breaches
• Hacking
• Devices are lost or stolen
• Insider or employee misuse
• Unintended disclosure
• Security patches are not installed
• Malware

10. What Is The Objective?
Fill In The Gap
• Protection
• Compliance
• Audits
How to Manage the Data Security Breach
• Criminal prosecution
• Civil liability

11. Why Do You Need A Response Plan?
• Thoughtful and Prepared Reaction
• Better Decision Making
• Minimized Risk and Loss

12. Collect Relevant Information
• Data location lists
• Confidentiality agreements
• Customer contracts
• Third-party vendor contracts
• Information security policy
• Ethics policy
• Litigation hold template
• Contact list
• Privacy policy

13. Create A First Response Team
• Information technology (computer & technology resources)
• Information security (physical security & access)
• Human resources (private employee information: health & medical, payroll, tax, retirement)

14. Create A First Response Team (cont’d)
• Legal counsel (in-house and/or outside counsel)
• Compliance
• Business heads (consumer information)
• Public relations/investor relations

15. Assign Tasks To Members Of The First Response Team
• Establish a point person
• Identify key personnel for each task
• Prioritize and assign tasks
• Calculate timelines and set deadlines
• Communicate with management
• Establish attorney-client privilege for investigation and communications
Project Management Is Critical

16. Determine The Nature And Scope Of The Breach
• Investigate facts
• Interview witnesses
• Notify law enforcement, FBI, USSS
• Determine type of information that may have been compromised; ongoing threat
• Identify and assess potential kinds of liability
• Identify individuals potentially at risk and determine state or country of residence
Preserve Company’s Assets, Reputation and Integrity

17. Understand Data Breach Notice Laws
• State laws:
  – What constitutes personal information?
  – When is a notice required?
  – Who must be notified? (e.g., State Attorney General)
  – Timing?
  – What information must be included in the notice?
  – Method of delivering notice?
  – Other state-specific requirements?
• Applicable industry-specific laws
• Applicable international laws

18. Determine Appropriate Notices
• Consumers
• Employees
• Law enforcement (Federal/State)
• Federal regulatory agencies
• State agencies (State Attorney General)
• Consumer reporting agencies
• Business partners
• Insurers
• Media
19. Data Security Breach Notification
• Alabama, Kentucky, New Mexico and South Dakota are the only states that do not have a data security breach notification statute.
• California’s statute served as a model for later state statutes.
  – State involvement began in California, after a series of breaches received national attention
  – Passed in 2002, went into effect in mid-2003

20. Data Security Breach Notification
• “Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” See Cal. Civ. Code § 1798.29.

21. Data Security Breach Notification
• “Personal information”
  – First name or initial and last name with one or more of the following (when either the name or the data element is not encrypted):
    • Social security number;
    • Driver’s license number;
    • Credit card or debit card number; or
    • Financial account number with information such as PINs, passwords or authorization codes.

22. Data Security Breach Notification
• Some states have expanded the definition of “personal information” to include:
  – California: Medical information or health insurance information;
  – Indiana: Biometric data;
  – North Dakota: Mother’s maiden name, birth/death/marriage certificate and electronic signature.

23. Data Security Breach Notification
• On September 27, 2013, California’s governor signed S.B. 46 to expand the definition of “personal information” to include:
  – “a username or email address, in combination with a password or security question and answer that would permit access to an online account.”
  – S.B. 46 is effective January 1, 2014.

24. Data Security Breach Notification
• “Breach of the security of the system”
  – Some states expressly require notice of unauthorized access to non-computerized data
    • New York: “lost or stolen computer or other device containing information” or “information has been downloaded or copied”
    • Hawaii and North Carolina: data includes “personal information in any form (whether computerized, paper, or otherwise)”

25. Data Security Breach Notification
• Generally, only a “reasonable” belief that the information has been acquired by an unauthorized person is needed to trigger notification requirements.
  – Certain states require a risk of harm
    • Arkansas: no notice if “no reasonable likelihood of harm to customers”
    • Michigan: no notice if “not likely to cause substantial loss or injury to, or result in identity theft”

26. Data Security Breach Notification
• Distinguish between the entity that “owns or licenses” data and the entity that “maintains” data
  – Data owner has ultimate responsibility to notify consumers of a breach
  – Non-owners are required to notify owners
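Scoping a breach against these definitions is usually done record by record: for each affected individual, was the exposed data "personal information" in the statutory sense, was it reasonably believed to have been acquired, and does the individual's state add a risk-of-harm threshold? The following is an added example, not part of the presentation, that encodes the California definition summarized on slides 20, 21 and 23 and the Arkansas/Michigan harm threshold from slide 25 as a small rules engine. The field names, the two-letter state codes, the `ExposedRecord` type and the sample records are all constructed for this example; applying the encryption carve-out to the S.B. 46 username/password pair is an assumption of the example rather than a reading of the statute.

```python
from collections import Counter
from dataclasses import dataclass, field

# Data elements that, paired with a first name (or initial) and last name, make a
# record "personal information" under the California definition on slide 21.
# "financial_account" only counts together with an access code (PIN, password
# or authorization code).
DATA_ELEMENTS = {"ssn", "drivers_license", "card_number", "financial_account"}

# States whose statutes, per slide 25, add a risk-of-harm threshold before notice
# is required. Two-letter codes are a convention of this example.
RISK_OF_HARM_STATES = {"AR", "MI"}


@dataclass
class ExposedRecord:
    state: str                                   # state of residence
    fields: set                                  # field names in the exposed data
    encrypted: set = field(default_factory=set)  # fields that were encrypted


def is_personal_information(rec, sb46=False):
    """Name plus at least one data element, with either the name or that
    element unencrypted. With sb46=True, a username or e-mail address plus a
    password or security question/answer (slide 23) also qualifies; applying
    the encryption carve-out to that pair is an assumption of this example."""
    elements = DATA_ELEMENTS & rec.fields
    if "financial_account" in elements and "access_code" not in rec.fields:
        elements.discard("financial_account")
    if "name" in rec.fields:
        for e in elements:
            if "name" not in rec.encrypted or e not in rec.encrypted:
                return True
    if sb46:
        identifier = {"username", "email"} & rec.fields
        secrets = {"password", "security_qa"} & rec.fields
        if identifier and any(s not in rec.encrypted for s in secrets):
            return True
    return False


def notice_required(rec, reasonably_believed_acquired=True, likely_harm=True, sb46=False):
    """Trigger test for one resident: slide 20 (reasonable belief that
    unencrypted personal information was acquired) plus the slide 25 harm
    threshold for the states that impose one."""
    if not is_personal_information(rec, sb46):
        return False
    if not reasonably_believed_acquired:
        return False
    if rec.state in RISK_OF_HARM_STATES and not likely_harm:
        return False
    return True


def notices_by_state(records, **kwargs):
    """Count residents per state for whom notice is required; these totals are
    what the state-by-state notices on slides 17 and 18 are scoped from."""
    counts = Counter(rec.state for rec in records if notice_required(rec, **kwargs))
    return dict(counts)


# Constructed sample: six exposed records from a hypothetical incident.
SAMPLE_RECORDS = [
    ExposedRecord("CA", {"name", "ssn"}),
    ExposedRecord("CA", {"name", "ssn"}, encrypted={"name", "ssn"}),
    ExposedRecord("CA", {"name", "financial_account"}),   # no access code exposed
    ExposedRecord("CA", {"email", "password"}),           # caught only by S.B. 46
    ExposedRecord("AR", {"name", "card_number"}),
    ExposedRecord("MI", {"name", "drivers_license"}, encrypted={"name"}),
]

if __name__ == "__main__":
    print(notices_by_state(SAMPLE_RECORDS, likely_harm=False))  # {'CA': 1}
    print(notices_by_state(SAMPLE_RECORDS, sb46=True))          # {'CA': 2, 'AR': 1, 'MI': 1}
```

Two things the run makes visible that the slides only state: a record whose name and data element were both encrypted drops out entirely (the "1.4 million would not be at risk" point on slide 42), and a state's harm threshold changes the count only for residents of that state, which is why the residence determination on slide 16 has to come before the notices are drafted.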
27. Prepare State Law Notices
• General description of the incident
• Type of information that may have been compromised
• Steps to protect information from further unauthorized access
• Contact information (e.g., email address; 1-800 number)
• Advice to affected individuals (e.g., credit reporting, review account activity)

28. Prepare State Law Notices
• Delivery method (e.g., certified letters, email, website)
• Timing of notices
• Tailor notices based on recipient
• Use a single fact description for all notices

29. Prepare Answers To Inquiries
• Draft FAQs with responses
• Establish hotline
• Assign group of contact employees
• Train employees to respond to inquiries
• Develop clear escalation path for difficult questions
• Track questions and answers

30. Prepare Press Release
• Include the following information:
  – Facts surrounding the incident
  – Actions to prevent further unauthorized access
  – Steps to prevent future data security breaches
  – Contact information for questions
• Review by legal counsel

31. Consider Offering Assistance To Affected Individuals
• Free credit reporting
• Free credit monitoring with alerts
• ID theft insurance
• Access to fraud resolution specialists
• Toll-free hotline
32. Regulatory Update: The FTC And Mobile Applications
• In February 2013, the FTC issued a Staff Report titled “Mobile Privacy Disclosures: Building Trust Through Transparency.”
• The Staff Report recommends ways that key players in the mobile marketplace can better inform consumers about their data practices.

33. Regulatory Update: The FTC And Mobile Applications
• The recommendations are meant to ensure that consumers get timely and easy-to-understand disclosures about what data those players collect and how the data is used.
• The Staff Report makes specific recommendations to:
  – Mobile platform developers;
  – Application developers;
  – Advertising networks and analytics companies; and
  – Application developer trade associations.

34. Regulatory Update: California’s Right To Know Act
• Assembly Bill 1291
• Would require businesses that collect consumer information to provide customers with the names and addresses of all data brokers, advertisers and others who were granted access to the information, as well as details regarding the data that was disclosed.
• Businesses would have 30 days to answer a request for the information.

35. Regulatory Update: California’s Right To Know Act
• Applies to businesses that “retain” personal data or disclose the information to a third party.
• Defines “retain” to mean “store or otherwise hold personal information,” whether the information is collected or obtained directly from the consumer or from any third party.

36. Regulatory Update: California’s Right To Know Act
• Faced opposition by companies such as Google and Facebook.
• Assemblywoman Bonnie Lowenthal delayed action on the bill by turning it into a two-year bill.
• Lowenthal plans to spend the remainder of the year educating her colleagues about the importance of the proposed legislation.
• The Assembly will consider AB 1291 again in 2014.

37. Regulatory Update: California And Mobile Applications
• In 2012, the California Attorney General entered into an agreement with 6 companies whose platforms comprise the majority of the mobile apps market (i.e., Amazon, Apple, Google, Hewlett-Packard, Microsoft and RIM).
• The agreement is designed to ensure that mobile apps comply with the California Online Privacy Protection Act (CalOPPA).

38. Regulatory Update: California And Mobile Applications
• CalOPPA requires operators of commercial websites and online services, including mobile apps, that collect personal information about California residents to conspicuously post a privacy policy.
• In October 2012, the California Attorney General issued 100 enforcement letters to companies, such as Delta Airlines, that operate mobile apps.
• In December 2012, the California Attorney General filed its first mobile app enforcement lawsuit against Delta, based upon an alleged lack of privacy disclosures in its app.

39. Regulatory Update: California And Mobile Applications
• On January 10, 2013, the California Attorney General issued a report titled “Privacy On the Go: Recommendations for the Mobile Ecosystem.”
• The Report announced suggested changes in how companies address consumer privacy in their mobile applications.

40. Regulatory Update: California And Mobile Applications
• Examples of the recommendations in the California Attorney General’s Report:
  – Personal information is not limited to name and email address.
  – Maintain a list of what information an app will collect, as well as how it will be used and stored.
  – Only collect personal information necessary to an app’s functionality.
  – Privacy policies must be “readable.”
  – Companies should not rely upon their general privacy policy.

41. Regulatory Update: California’s Data Breach Report
• On July 1, 2013, the California Attorney General released a report that provides a summary of the types of breaches reported to her office during 2012, as well as recommendations about how to decrease the likelihood of experiencing a data breach.

42. Regulatory Update: California’s Data Breach Report
• Key Findings:
  – 131 data breaches affecting more than 500 California residents each.
  – The average incident involved information relating to 22,500 individuals.
  – More than 2.5 million California residents were put at risk by data breaches in 2012.
  – More than 1.4 million of those California residents would not have been at risk if the data had been encrypted.
  – More than half of the breaches were the result of intentional intrusions by outsiders or by unauthorized insiders.
  – The average reading level of the breach notices submitted was 14th grade.

43. Regulatory Update: California’s Data Breach Report
• Recommendations:
  – Encrypt personal information when in transit, on portable devices or in emails.
  – Review and strengthen security controls used to protect personal information.
  – Prepare breach notification letters in an easy-to-understand format.

44. Regulatory Update: California’s Data Breach Report
• Recommendations (cont’d):
  – Offer mitigation products to victims of breaches that involve social security numbers or driver’s license numbers.
  – Consider amending breach notification laws to require reporting of breaches that involve usernames and passwords.

45. Regulatory Update: California’s PII Initiative
• The initiative seeks to amend the California Constitution:
  – Creates a presumption that an individual’s PII, including financial or health information, is confidential when collected for a commercial or governmental purpose.
  – Requires the collector of PII to use all reasonably available means to protect it from unauthorized disclosure.
  – Creates a presumption of harm when PII is disclosed without authorization, unless the information is publicly available or there is a countervailing compelling interest.

46. Regulatory Update: California’s PII Initiative
• On September 26, 2013, signature collection efforts began.
• In order to qualify for the November 2014 ballot, proponents of the initiative must collect signatures of 807,615 registered voters by February 24, 2014.
• If voters approve the initiative, it would take effect in January 2016.
47. Enforcement Actions
• Federal Trade Commission – Section 5 of FTC Act
  – Enforce privacy policies and challenge data security practices deemed “deceptive” or “unfair.”
• State Attorney General – State Notification Statutes
  – Connecticut: “Failure to comply . . . shall constitute an unfair trade practice . . .”
  – Virginia: “The Attorney General may bring an action to address violations.” Moreover, “nothing in this section shall limit an individual from recovering direct economic damages.”
• Litigation in federal and state courts.

48. Federal Trade Commission
• In June 2012, the FTC instituted litigation in federal court against Wyndham Worldwide Corporation.
• In its complaint, the FTC alleges that, beginning in April 2008 and through January 2010, cybercriminals hacked into Wyndham’s computer network and the networks of certain Wyndham hotels, exposing credit card information of hotel guests.

49. Federal Trade Commission
• The FTC alleges that hackers compromised administrator accounts and installed memory-scraping malware to access credit card information.
• The FTC contends that hackers compromised more than 619,000 credit card account numbers and that the incidents caused more than $10.6 million in fraud losses.

50. Federal Trade Commission
• Under Section 5 of the FTC Act, which prohibits “unfair and deceptive acts or practices,” the FTC alleges that:
  – Wyndham’s data security protections amounted to “unfair” trade practices because they were not “reasonable and appropriate”; and
  – Wyndham “deceived” consumers by stating on its website that it used “commercially reasonable efforts” to secure the credit card information that it collects from consumers.

51. Federal Trade Commission
• In an unprecedented move, Wyndham refused to settle this dispute and filed a motion to dismiss the complaint.
  – Wyndham argues that the FTC is overreaching its authority because “Section 5’s prohibition on ‘unfair’ trade practices does not give the FTC authority to prescribe data-security standards for all private businesses.”
  – Wyndham argues that, because Congress has not yet passed data security legislation, the FTC has the authority to regulate data security only in limited contexts (e.g., the Gramm-Leach-Bliley Act).

52. Federal Trade Commission
  – Wyndham further argues that Section 5 of the FTC Act “provides no meaningful notice to regulated parties” because it does not contain any guidance about what practices might be deemed “unfair” or “deceptive.” Similarly, the FTC has not published any rules or regulations “explaining what data security practices a company must adopt to be in compliance with the statute.”
  – As such, “businesses are left to guess as to what they must do to comply with the law.”
  – This case is pending in the United States District Court for the District of New Jersey (Civil Action No. 13-01887).

53. Federal Trade Commission
• This is the first litigated case challenging the FTC’s authority under Section 5 of the FTC Act related to data security.
• Generally, FTC enforcement actions result in a settlement.
  – The FTC provides a defendant with a proposed draft complaint.
  – The FTC “negotiates” the terms of a consent order.

54. Federal Trade Commission: Recent Enforcement Actions
• In the Matter of LabMD Inc., No. 102 9357
  – A billing department manager installed LimeWire on his computer, which exposed a report containing personal information of 9,300 consumers.
  – The FTC alleges that LabMD failed to reasonably protect consumers’ personal information and issued civil investigative demands (CIDs).
  – LabMD refused to respond to the CIDs.

55. Federal Trade Commission: Recent Enforcement Actions
• In the Matter of LabMD Inc., No. 102 9357
  – The FTC filed a petition to enforce the CIDs.
  – LabMD answered the petition stating that the FTC lacks statutory authority to tell companies how to secure their data.
  – The case is pending in the United States District Court for the Northern District of Georgia (Civil Action No. 12-3005).

56. Federal Trade Commission: Recent Enforcement Actions
• In the Matter of TrendNet, No. 122 3090
  – TrendNet sells Internet-connected video cameras.
  – The FTC alleges that TrendNet’s improper security measures allowed hackers to webcast live feeds from hundreds of its customers’ homes.
  – TrendNet agreed to settle this action by entering into a consent order with the FTC.
57. State Attorney General
• In May 2013, the Connecticut and Maryland Attorneys General questioned LivingSocial Inc. about the specifics of a recent data breach that exposed the personal information of approximately 50 million users.
• The Connecticut and Maryland Attorneys General issued to LivingSocial 15 written questions regarding the scope of the breach, as well as its privacy and security policies.

58. State Attorney General
• Examples of questions posed by the Attorneys General include:
  – Detailed timeline of the incident
  – Number of affected individuals in each state
  – Types of personal information compromised
  – Steps taken to determine that no financial or credit card information was compromised
  – Steps taken to protect user passwords
  – How the company collects user data and how long it retains such data
  – Copies of any privacy policies
  – Plans developed to prevent another breach

59. State Attorney General
• Both Connecticut and Maryland have statutes that require a company to report a data security breach to the Attorney General, as well as to individual consumers.
• Questions posed by these Attorneys General provide guidance on issues companies should consider in responding to a data security breach.

60. State Attorney General: Recent Action
• State of Connecticut v. Citibank, N.A.:
  – Citibank’s Account Online Web-based service permitted hackers to access multiple user accounts.
  – Hackers accessed accounts by logging in with an account number and password, and then changing a few characters in the URL bar to access additional accounts.
  – Exposed personal information of 360,000 Citibank customers, including 5,066 Connecticut residents.

61. State Attorney General: Recent Action
• State of Connecticut v. Citibank, N.A.:
  – The vulnerability may have existed since 2008.
  – Citibank discovered the breach on May 10, 2011.
  – Fixed the vulnerability on May 27, 2011, but did not begin notifying consumers until June 3, 2011.
  – Citibank settled the action and agreed to:
    • Pay a $55,000 fine.
    • Obtain a third-party data security audit of its online credit card account system.
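The Citibank facts on slide 60 describe a classic authorization flaw: the service authenticated the user but then trusted the account number in the URL, so changing that number returned another customer's account. The following is an added example, not code from the presentation or from Citibank, showing the flawed handler beside a hardened one and the audit signal that the hardened version produces. The `ACCOUNTS` table, the `Session` type, the function names and the log format are all constructed for this example.

```python
from dataclasses import dataclass

# Constructed sample data for this example: account number -> owner and balance.
ACCOUNTS = {
    "4000-0001": {"owner": "cust-1", "balance": 120.50},
    "4000-0002": {"owner": "cust-2", "balance": 980.00},
    "4000-0003": {"owner": "cust-3", "balance": 15.25},
}


class AccessDenied(Exception):
    pass


@dataclass
class Session:
    customer_id: str  # identity established at login; never taken from the URL


def vulnerable_view_account(session, account_number):
    """'Before' form of the flaw on slide 60: the session is authenticated, but
    the account named in the URL is never tied to that session, so editing the
    number shows someone else's account."""
    if session is None:
        raise AccessDenied("login required")
    return ACCOUNTS[account_number]


def hardened_view_account(session, account_number, audit_log):
    """'After': ownership is checked against the logged-in identity, and every
    refusal is written to an audit log for monitoring."""
    if session is None:
        raise AccessDenied("login required")
    account = ACCOUNTS.get(account_number)
    # Unknown and foreign accounts get the same answer, so the response does
    # not reveal which account numbers exist.
    if account is None or account["owner"] != session.customer_id:
        audit_log.append(f"denied customer={session.customer_id} account={account_number}")
        raise AccessDenied("not your account")
    return account


def can_view(session, account_number, audit_log):
    """Boolean wrapper around the hardened handler."""
    try:
        hardened_view_account(session, account_number, audit_log)
        return True
    except AccessDenied:
        return False


def sessions_probing_accounts(audit_log, threshold=3):
    """Detection: customers whose session was refused foreign accounts at least
    `threshold` times. A legitimate user rarely trips this check at all, so
    repeated refusals are the signal a monitoring rule should alert on."""
    counts = {}
    for line in audit_log:
        customer = line.split()[1].split("=", 1)[1]
        counts[customer] = counts.get(customer, 0) + 1
    return sorted(c for c, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    log = []
    me = Session("cust-1")
    print(vulnerable_view_account(me, "4000-0002")["owner"])   # cust-2: the flaw
    for number in ("4000-0001", "4000-0002", "4000-0003", "4000-9999"):
        print(number, can_view(me, number, log))
    print(sessions_probing_accounts(log))                        # ['cust-1']
```

The slide 61 timeline (vulnerability present since 2008, discovered May 2011) is the other half of the lesson: without a refusal log like the one above, a server never records that anything was wrong, because from its point of view every request was a valid, authenticated page view.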
62. Litigation: Typical Claims By Plaintiffs
• Plaintiffs (consumers or employees) typically allege the following causes of action:
  – Common law claims of negligence, breach of contract, breach of implied covenant or breach of fiduciary duty.
  – Claims for violations of state consumer protection statutes – deceptive/unfair trade practices acts.
• Historically, courts have dismissed these cases based upon lack of standing.

63. Litigation: Plaintiffs Lack Standing
• In re LinkedIn User Privacy Litig. (N.D. Cal. 2012):
  – Plaintiffs filed a complaint against LinkedIn in connection with a data breach incident in which approximately 6.5 million users’ passwords and email addresses were stolen and posted on the Internet.
  – Plaintiffs argued that they had standing to sue because they suffered economic harm by not receiving the full benefit of the bargain they paid for premium memberships.
  – The Court granted LinkedIn’s motion to dismiss the complaint.

64. Litigation: Plaintiffs Lack Standing
• In re LinkedIn User Privacy Litig. (N.D. Cal. 2012):
  – The Court held that, “[t]o satisfy Article III standing, plaintiff must allege:
    • (1) an injury-in-fact that is concrete and particularized, as well as actual and imminent;
    • (2) that injury is fairly traceable to the challenged action of the defendant; and
    • (3) that it is likely (not merely speculative) that injury will be redressed by a favorable decision.”

65. Litigation: Plaintiffs Lack Standing
• In re LinkedIn User Privacy Litig. (N.D. Cal. 2012):
  – Plaintiffs failed to allege that “included in Plaintiffs’ bargain for premium membership was the promise of a particular (or greater) level of scrutiny that was not part of the free membership.”
  – Plaintiffs did not allege that they relied upon (or even read) LinkedIn’s representations regarding safeguarding personal information.
  – Plaintiffs’ allegation that their LinkedIn passwords were “publicly posted on the Internet” does not amount to a “legally cognizable injury, such as, for example, identity theft or theft of her personally identifiable information.”

66. Litigation: Plaintiffs Lack Standing
• In re Barnes & Noble Pin Pad Litigation (N.D. Ill. 2013):
  – Skimmers on PIN pad devices at 63 locations in 9 states.
  – Plaintiffs argued a wide variety of claims:
    • Increased risk of identity theft;
    • Untimely and inadequate notification;
    • Improper disclosure of PII;
    • Invasion of privacy;
    • Increased risk of identity theft;
    • Decreased value of PII;
    • Anxiety and emotional distress; and
    • Overpayment for products.

67. Litigation: Plaintiffs Lack Standing
• In re Barnes & Noble Pin Pad Litigation (N.D. Ill. 2013):
  – Relying on the United States Supreme Court decision in Clapper v. Amnesty Int’l USA Inc., No. 11-1025 (2013), the Court granted Barnes & Noble’s motion to dismiss.
    • Clapper: Held that private citizens lacked standing to challenge 2008 amendments to the Foreign Intelligence Surveillance Act because they could not show the government had actually spied on them.

68. Litigation: Plaintiffs Lack Standing
• In re Barnes & Noble Pin Pad Litigation (N.D. Ill. 2013):
  – Plaintiffs failed to prove an “injury in fact” that is “certainly impending.”
    • Speculation of future harm does not constitute actual injury.
    • Even if plaintiffs could prove statutory violations, such violations would be insufficient to establish standing without actual injury.
    • Increased identity theft expenses cannot establish standing for non-imminent harm.
    • Emotional distress is insufficient absent any imminent threat to PII.
    • Fraudulent charges were reimbursed.

69. Litigation: Plaintiffs Have Standing
• Ruiz v. Gap, Inc., 622 F. Supp. 2d 908 (N.D. Cal. 2009) (increased risk of identity theft constituted sufficient “injury in fact” for purposes of standing).
• Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (“a credible threat of real and immediate harm stemming from theft of a laptop containing unencrypted personal information” sufficient to demonstrate standing).

70. Litigation: Plaintiffs Have Standing
• Harris v. comScore (N.D. Ill. 2013):
  – Plaintiffs alleged that defendants improperly obtained and used personal information after consumers downloaded and installed the company’s software.
  – comScore’s data collection violated the User License Agreement and the Downloading Statement.
  – The Court found standing based upon statutory damages available under the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act and the Stored Communications Act.

71. Litigation: Plaintiffs Have Standing
• Courts in the Ninth Circuit have also found standing based upon statutory damages:
  – Gaos v. Google (N.D. Cal. 2012) (“the SCA provides a right to judicial relief based only on a violation of the statute without additional injury”).
  – Cousineau v. Microsoft (W.D. Wash. 2012) (denying motion to dismiss for lack of standing where plaintiff alleged an SCA violation).
  – In re Facebook Privacy Litig. (N.D. Cal. 2011) (plaintiffs established standing when they alleged a violation of the ECPA).

72. Litigation: Plaintiffs Cannot Allege Damages
• Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010).
  – “[O]ur holding that Plaintiffs-Appellants pled an injury-in-fact for purposes of Article III standing does not establish that they adequately pled damages for purposes of their state-law claims.”
  – “[A]ctual loss or damage is an essential element in the formulation of the traditional elements necessary for a cause of action in negligence.”
  – The Court dismissed the case because Plaintiffs alleged “no loss.”

73. Litigation: Plaintiffs Cannot Allege Damages
• In re: Sony Gaming Networks and Customer Data Security Breach Litig., MDL No. 2258 (S.D. Cal. 2011):
  – Hackers accessed the personal information of millions of Sony’s customers.
  – Plaintiffs did not allege any identity theft or unauthorized use of personal information “causing a pecuniary loss.”
  – The Court granted Sony’s motion to dismiss and found that, “without specific factual statements that Plaintiffs’ Personal Information has been misused, in the form of an open bank account, or un-reimbursed charges, the mere danger of future harm unaccompanied by present damage, will not support a negligence action.”

74. Litigation: Plaintiffs Cannot Allege Damages
• Holmes v. Countrywide Fin. Corp., No. 08-0205, 2012 U.S. Dist. LEXIS 96587 (W.D. Ky. 2012) (Court dismissed the case where “scant evidence exists demonstrating that [the thieves] misused the customers’ information or engaged in any kind of financial fraud”).
• Worix v. MedAssets, Inc., 857 F. Supp. 2d 699 (N.D. Ill. 2012) (Court dismissed the negligence claim because Plaintiff did not allege that his personal information was “misused”).

75. Litigation: Plaintiffs Allege Damages
• Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011):
  – Hackers stole 4.2 million credit and debit card numbers, and security codes.
  – Defendant acknowledged that more than 1,800 incidents of identity theft resulted from the breach.
  – Many victims had to pay to cancel their cards or purchase credit monitoring services. Others incurred unauthorized charges.
  – The Court denied the motion to dismiss.

76. Litigation: Plaintiffs Allege Damages
• Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012):
  – Thieves stole 2 laptops containing names, addresses, phone numbers and social security numbers of 1.2 million AvMed customers.
  – Ten months after the incident, a bank account was opened and a credit card issued in the name of one of the AvMed customers.
  – Four months later, an E*Trade account was opened in the name of another AvMed customer.
  – Unauthorized purchases were made from both accounts.
  – The Court denied the motion to dismiss because Plaintiffs alleged “financial injury.”
77. Avoid Future Data Security Breaches
• Understand what types of personal information are collected, how, where and how long they are stored, and who has access to them.
• Collect only personal information necessary to conduct business.
• Retain personal information for the shortest time necessary to conduct business.
• Limit access to personal information.
• Encrypt data.

78. Avoid Future Data Security Breaches
• Establish internal policies to protect personal information.
  – e.g., robust passwords, usage policies for laptops and mobile phones, secure disposal policies.
• Comply with promises made to consumers or employees regarding privacy and security of personal information.
  – Disclosures about collection, maintenance, use and dissemination of personal information must be accurate and complete.

79. Avoid Future Data Security Breaches
• Train employees.
• Conduct periodic audits.
• Update and revise policies and procedures regularly.
• Enhance technology to strengthen security and reduce risk.
  – e.g., strong firewalls, scans for vulnerabilities, up-to-date anti-virus software.
• Use care when engaging third-party vendors and hold them to high standards.

80. Contact
Amy C. Purcell
215.299.2798
apurcell@foxrothschild.com

Scott L. Vernick
215.299.2860
svernick@foxrothschild.com
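"Robust passwords" on slide 78 has two halves: a policy that rejects weak choices before they are accepted, and storage that does not hand the passwords themselves to whoever breaches the credential table (the LinkedIn facts on slide 63, and the "steps taken to protect user passwords" question on slide 58, are both about the second half). The following is an added example, not code from the presentation, showing both halves with only the Python standard library: a minimum-length and blocklist policy, PBKDF2-HMAC-SHA256 with a random per-user salt, and constant-time verification. The storage format string, the iteration count, the 12-character minimum and the small `COMMON_PASSWORDS` list are all choices made for this example.

```python
import hashlib
import hmac
import os

# Constructed blocklist for this example; a real deployment would check against
# a much larger list of known-breached passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 12
ITERATIONS = 200_000


def password_meets_policy(password):
    """Reject short or well-known passwords before they are ever hashed."""
    if len(password) < MIN_LENGTH:
        return False
    if password.lower() in COMMON_PASSWORDS:
        return False
    return True


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt per user. The stored
    string carries its own parameters so the iteration count can be raised
    later without a format change; older records re-verify with their own."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and parameters and compare in constant
    time, so timing does not leak how many leading bytes matched."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def enrol(password):
    """Enforce the policy, then keep only the derived hash; the password itself
    is never written anywhere."""
    if not password_meets_policy(password):
        raise ValueError("password does not meet policy")
    return hash_password(password)


if __name__ == "__main__":
    record = enrol("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("correct horse battery staples", record))  # False
```

Because each record has its own salt, two users with the same password produce different stored strings, and a stolen table cannot be attacked with one precomputed list for all accounts. That is the difference between a credential-store breach that exposes passwords outright and one where the attacker still has to spend the full cost of the derivation per guess, per user.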